The Information Commissioner’s Office (ICO) has launched a consultation over a “Draft Anonymisation code of practice”, which is intended to assist organisations in the disclosure of anonymised information about individuals without first requiring their consent. Under the Data Protection Act 1998 (DPA), organisations have to process personal data fairly and lawfully and for specific, explicit and legitimate purposes only.
In the draft Code, the ICO has set out that the DPA will not apply if personal data is properly anonymised before it is disclosed. The ICO has said that, in order to release information without breaching the DPA, organisations have to make sure that personal data is anonymised sufficiently to ensure that it is not “reasonably likely” that an individual can be identified from that anonymised information when read together with other information available to the public elsewhere.
Organisations should consider whether a “motivated intruder” could achieve identification if “minded to do so”. A motivated intruder would be someone who would take all reasonable steps to try to identify someone.
The ICO has said that such anonymous disclosure would not breach the DPA even though the disclosing organisation would hold the “key” to allow individuals to be identified from the information disclosed.
The consultation is open until 23 August 2012.